Friday, November 4, 2011

PHP in Secure Environments

While PHP is by far the most popular framework for
web development, according to BuildWith Trends (2011) its popularity
is actually in decline; the graph posted on the PHP.net website
is from 2007. Newer technologies such as ASP.NET Ajax, Ruby on Rails,
Adobe Flex and Microsoft Silverlight are gaining a larger market share
(BuildWith Trends, 2011). On the other hand, the PHP framework is
being actively developed and supported, so its popularity does
not play a major role when discussing the security of the environment.

When discussing a secure e-commerce environment, in
many cases the choice of the development language itself is not the
major factor influencing the overall security stance. In many
cases, hackers target misconfigured or outdated services
rather than trying to exploit a vulnerability such as a buffer overflow
in the language interpreter (Verizon RISK Team, 2011). Moreover, the Open
Web Application Security Project (OWASP) Top 10 web application
security risks highlight the fact that the majority of exploitable
vulnerabilities are related either to the web server, such as
misconfiguration and insufficient transport layer protection, or to the
security awareness of the software developers, such as injection,
cross-site scripting and insecure direct object references (OWASP,
2010).

Security awareness of software developers is
considered by many security experts to be the main factor impacting the
risk exposure of a web application (Dafydd Stuttard and Marcus Pinto,
2011). Let's consider SQL injection as an example: while the SQL
injection vulnerability was first documented in 1998
(rain.forest.puppy, 1998) and is ranked as the number one security risk by
the Open Web Application Security Project (OWASP, 2010), code
such as the following (potentially vulnerable to SQL injection):

    "Select * from products where productCode='" . $prodcode . "'"

still appears in the university lecture notes
(Laureate Online Education, 2007).
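
The concatenated query above next to a parameterized form, as an added example that is not code from the original post or from the lecture notes it cites. It assumes PHP with the pdo_sqlite extension; the `name` column, the function names and the sample rows and inputs are constructed for illustration.

```php
<?php
// Constructed in-memory table; only "products" and "productCode" come from the text.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (productCode TEXT PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO products VALUES ('A100', 'Widget'), ('B200', 'Gadget')");

// Pattern from the text: the value is pasted into the SQL string, so a quote
// character inside it is parsed as SQL syntax rather than as data.
function findProductConcatenated(PDO $db, string $prodcode): array
{
    $sql = "Select * from products where productCode='" . $prodcode . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the statement text is fixed and the value is bound as data,
// so it can never change the structure of the query.
function findProductPrepared(PDO $db, string $prodcode): array
{
    $stmt = $db->prepare('SELECT * FROM products WHERE productCode = :code');
    $stmt->execute([':code' => $prodcode]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal code, a value containing an apostrophe,
// and a value that rewrites the WHERE clause when concatenated.
$inputs = ['A100', "O'Neil", "x' OR '1'='1"];

foreach ($inputs as $prodcode) {
    try {
        $concat = count(findProductConcatenated($db, $prodcode)) . ' row(s)';
    } catch (PDOException $e) {
        // A stray quote leaves the concatenated statement syntactically invalid.
        $concat = 'SQL error';
    }
    $prepared = count(findProductPrepared($db, $prodcode)) . ' row(s)';
    printf("%-14s concatenated: %-9s prepared: %s\n", $prodcode, $concat, $prepared);
}
```

Only the prepared form treats all three inputs as plain product codes; the concatenated form either fails on the apostrophe or matches rows the caller never asked for.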

Organizations such as the PHP Group and the PHP Security
Consortium provide guides on the security of PHP deployment and secure
code development using PHP. In addition, the guide (PHP Security
Consortium, 2005) covers topics such as input validation, database
and SQL injections, session management and issues related to shared
hosts.